Is it possible to trigger user required action from keycloak user self service panel ( -/auth/realms/REALM/account ) ?
I've added the step for configuring mobile number (Actuall, taking ready project https://github.com/gwallet/keycloak-sms-authenticator and adding SMS code check step) and the phone number is configured first time the user logs in, but it is failing the possibility for user to change his number afterwards.
I can't simply add phone number to account panel, because the flow forces user to enter code sent with SMS, and then saves the number to user account. Without the flow defined by required action the user could make a typo and not be able to log in ever again.
Is it possible to add button / link with custom action triggering UserRequiredAction?
I am facing an issue with Keycloak:
When user clicks on Forget password button, he is asked to enter basic details. Once details are entered, the user receives a mail with link to change his password. User Changes his password, and is redirected to Login page of the application.
Users account gets locked. Admin uses application to unlock the account. User gets email, clicks on link, and generates new password. User now sees a message : Your account is successfully updated.
What I want to do is that the second flow should work in same way as the first one. i.e when user has given new password, he'd be redirected to login page.
Can someone guide me about how to proceed with this?
Difference I've noticed in two flows is the URL that I receive in both of them is different.
First flow, I get this in mail: http://[keycloak-host]/auth/realms/[realm]/login-actions/reset-credentials?code=[code]
Second flow, I get this URL: http://[keycloak-host]/auth/realms/[realm]/login-actions/execute-actions?key=[key]
I have requirement to send an email to user to change the password after 90 days using workflows . How can i do this ?
Look at the "password management" screen under the Admin menu. Its at the top of that screen.
in Admin Go To "Password Management" and below find "User-Generated Password Expiration", there you can set the expiration days.
i have one xib and that xib i put on username, password, and one button is login
and in the tabbar i have one tab bar which name is registration if i tab the registration it will go to server bec i have given the server path bec all form are create in ther to take user information which means username, password firstname and lastname this is on registration form
and now if the user submit this form on server
then i have to show pop message which show that u are now register after that
the login page should show which i show in xib in first line in there i have to fetch the data that data which the user created there username and password in server
this all fetch should hapen within the same time when the user submit the registertion form after that the login page should work but one condition is there suppose if the network is availble then the username and password should cheak wheather the same username and password are have or not on web server if the network is not there then which the user put ther username and password for login it should be match with the database table from local by using sqlite database in iphone
please help me friend in this how can i do this on same regitration and fetch the data with json and save in database localy
Touch up inside of your Login button can send a Async/Sync request to the server with entered user name and password. If you use Async then implement the NSURLdelegate methods.
Parse the response using NSXML parser
Once authenticated save the response in local database
Check the response for cases when network is not available and based on that take action in the handler for login button press.
Many sites implement different methods and I am having a hard time deciding on which method would work best for my site.
My user profiles contain the following data:
username
password (in hash/digest form)
email
I'd like the password reset method to be secure, user-friendly, and efficient.
You should add two fields, reset_code and reset_expiry
This is the process for a secure password reset functionality.
User selects "Forgot password".
User prompted for email/username.
If valid, generates a GUID, and stores it in reset_code and also stores Now()+24 hours in reset_expiry in the database against that particular user.
Then it sends an email to the email address with a link to confirm the password reset. This email would contain a link to your website with the user's username AND reset_code embedded. (This stops a malicious user resetting a third parties password just by knowing their email)
Once the user clicks on the link in the email, they will be directed to your website.
Your website will validate that: the username and reset_code matches, and the current time hasn't exceeded the reset_expiry time.
If all is okay, we can complete the password reset. This can be done by either:
a) Onscreen a new randomly generated password
b) A new randomly generated password via email
c) The ability to enter a password of his/her own choosing
You should not store the passwords of your users, not even in encrypted form. You should only store the hash/digest necessary for authentication. Then, you can't "recover" the password (because you don't know it), you can just reset it, and/or give the user a temporary one-time password that allows him to set a new password.
Update: if you are doing the above, the standard procedure is to have a "require-password-reset" form. The user enters his id (typically his email) and a "token" (eg, a random string) is generated, stored in some table with some expiration date, and sent to his email along with a link to the "password-reset" form. In this form the token is checked, the user is allowed to enter a new password, and instructed to attempt a new login.
Update 2: A small privacy issue might arise: What should we do if the user id (email, user name, or whatever) entered in the request form does not exist in our database? To output a message "User does not exist. Check the id and retry." may be ok, but in some cases it would cause a privacy problem: anyone can check if other someone is registered in your database! If you want to avoid that, you must output the same message ("a mail has been sent with instructions...") even if the user wasnt found (and hence a mail was not actually sent).
Similar privacy issues advise to just output the message "login incorrect : bad user or password" when the user tries to login unsuccessfully - don't disclose if it was an incorrect user or password.
I agree with Leonbloy. Storing the password leads to trouble like the Gawker incident from a few weeks ago (1.5 million userid/pwd combinations were discovered and published).
You should, however, have a "reset password" function that e-mails the new password to the original e-mail address used to open the account.
There should be no provision for changing the e-mail address during the password reset. If the user doesn't have access to the old e-mail account anymore, too bad. Abandon the account and start over.
And use a good Captcha on the reset screen.